Security Glitch in TurboTax

A programming glitch in Intuit Inc.'s
TurboTax software has posed a potential security problem for as
many as 150,000 users and may force them to change their passwords,
the company said Thursday.

The glitch affected about 1 percent of the total number of users
of the tax preparation software and has since been fixed, said
Intuit spokeswoman Holly Anderson.

"No customer data has been compromised nor are customers' tax
returns or refunds affected in any way," she said.

The problem affected many of those who used a new feature that
allowed them to import their 1099 investment tax data directly from
their financial institutions to their TurboTax files.

During the import process, the program inadvertently — and
quietly — saved onto the user's computer hard-drive the account
password that gave the user access to their investment information.
For those using TurboTax via Intuit's online services, the account
passwords erroneously were saved onto the company's servers.

The problem lasted from Jan. 31 to March 4, when the company
upgraded its software as a fix. However, some users could have been
affected up through Wednesday, if they chose not to upgrade their
software when prompted by the program.

A more permanent fix was put in place Thursday which forced
every user to upgrade the software before importing investment
data.

The fix automatically deletes the account password that was
saved in the user's computer.

The security risk, which the Mountain View-based financial
software maker characterized as "very remote," stems from a
hacker getting into a user's computer or Intuit's servers, and
obtaining the passwords to gain access to investment data.

Some of the institutions recommended their shareholders change
their account passwords as a precaution. Others, including
Vanguard, took a more extreme measure and disabled the passwords of
shareholders who imported the tax data, forcing them to set new
ones.

"We'd rather have someone upset at us for not being able to get
into their account than to have someone intrude their account,"
said Brian Mattes, a Vanguard principal.

Intuit said it discovered the problem in early March and deleted
the passwords from its servers. By March 4, it issued a software
patch that deleted the password from the user's computer if the
user chose to update their TurboTax software.

The more permanent fix was completed Wednesday so users would
have to get the software upgrade before importing investment data.

In addition to TurboTax, Intuit makes the Quicken and QuickBook
accounting software.